All posts by Ian Stevens

Ransomware and other cyber security threats – what you can do.

The recent outbreak of the WannaCry ransomware brought renewed attention to the importance of a well-crafted cybersecurity strategy. Every company should have a strategy in place regardless of its size. If you don’t have one yet, there is no time like the present to begin. We previously published an article detailing some key focus points that should be addressed when developing an organization-wide cybersecurity strategy.

In this article, we drill down into a handful of steps that can be taken now to begin securing your company’s network and data.  This is not meant to be an all-encompassing guide.  This is only a starting point.   These steps should already be familiar for those that have already implemented a cybersecurity plan.  However, the most comprehensive plans are worthless if they are not being executed.

 

1. Make sure all OS & software updates/patches have been applied.

Microsoft and other software developers such as Adobe and Oracle release updates and patches on a regular basis to improve usability and, more importantly, address security issues.  Secure your computer systems by taking the time to install these updates.  Turn on automatic updates whenever possible.  Set reminders for yourself to check for and install any updates and patches.  If you forget once, it is easier to forget again and before you know it months have gone by.

If you are running a PC with a version of Windows earlier than 10, be sure to install any updates and then run the tool to check for available updates again.  In many cases, certain updates will not be available until other updates have already been installed.

2. Migrate to a Current Operating System.

Organizations are keeping their existing computers longer than they once did. There can be any number of reasons for this – the computers are “fast enough” to serve the needs of the company, the cost to replace the machines may be too high, or perhaps you need them to support a piece of legacy software that cannot run on new computers. These are all valid reasons, but as an OS matures, fewer security patches are issued. Eventually, the developer will cease all support. Most newer operating systems will run on older hardware. However, if your hardware cannot support the latest operating system, it may be time for an upgrade as well.

3. Install Antivirus Software.

This should be a no-brainer. Many people think they’ll never be a target for an attack and as such don’t bother. For those of you out there thinking you’re “too small” to be a target, here is a sobering statistic: 85% of targets are small businesses. Do your research. There are some good options out there, many of which are free. Make sure protection is installed on all computers. Run scans on a regular basis. Check for and install updates on a regular basis. Antivirus software cannot do its job if it doesn’t know what to protect you from.

4. Password Administration.

More than 50% of people use the same password for all of their logins. Remembering one password is far easier than having a different one for each and every service. However, reusing one password makes compromising access to your corporate systems much easier. Employees should be required to use complex passwords. You can also request passwords to be changed on a regular basis.

5. Set User Access Permissions.

Employees only need access to the data required to do their job.  Do they need access to certain sensitive information? Do they need permission to install programs?  Narrow an employee’s access and permission only to what is needed.  This will better protect your systems should their login be compromised.

6. Backup Your Data.

You may need to restore lost or corrupted data should you be hit with ransomware or should your systems be disrupted by another type of attack. Backing up your data to an external hard drive that is always connected to your computer or network isn’t enough. That data can become compromised as well if your backup is connected to the same computer or network that suffers an attack. Hard drives are relatively inexpensive these days. Keep multiple backups off-site and swap them out on a regular basis. It is far easier and less costly to recreate or update a few files than to have to try to recreate years’ worth of data. Another option is to use a cloud-based backup service. Your data is stored off-site and most (but not all) of the burden of protection is transferred to your storage vendor, such as Amazon Drive or Carbonite.

7. Transition All Your Data to the Cloud.

This step is a little more advanced than the others.  As we discussed in point 6, having your data in the cloud takes a lot of the burden of protecting that data off you and transfers it to your storage vendor.  You are reducing the impact ransomware can have by not storing critical information on your computer or network.  Keep in mind, however, cloud storage can still be vulnerable to ransomware if you upload an infected file.  That is why it is imperative you look for a vendor that can retain multiple versions of files if you decide to go the cloud storage route.  You can restore a previous clean version with minimal effort should a file become infected.

8. Discuss Cyber Liability Insurance with a Risk Advisor.

You can do everything to protect your computer network and data. The reality is no system is perfect. Cyber liability insurance can’t stop you from having a ransomware attack or data breach. It will help to cover the costs of investigating the breach. It will help you in the defense of claims from the attack & potential data loss. Many policies may also include cyber extortion costs to address a ransomware attack.

Cyber liability tends to be written on the basis that at least some basic security controls are in place. It is easy to say you are performing these steps on an application.  However, if a claim results which could have been prevented by following these steps, it may not be covered.

Contact one of our Risk Advisors today by clicking here to learn more about cyber liability and how it can help your company.

NYSIF WC audit with Out of State Payrolls

Workers Compensation audits with the New York State Insurance Fund can often be complicated and stressful undertakings. Some of the potential issues employers may face are weekly payroll limitations, the use of independent contractors & subcontractors, and wrap ups. Another issue that can often go overlooked and prove to be just as costly is how to address WC audits with out of state payrolls.

The general belief is that the State Fund does not cover out of state injuries. As such, New York employers insured with the Fund will take one of two routes to address the prospect of out of state work:

1. Do not take out of state work. This is by far the simplest method to avoid issues at audit. However, this is not always practical as employers can be missing out on profitable work.
2. Purchase a Work Comp policy to cover the out of state work. This will allow employers to pursue the out of state work and ensure there is proper coverage for their employees.

Purchasing a policy to cover the out of state work seems simple enough, but what happens at audit? As employers will now have to deal with two Workers Comp audits, great care needs to be taken when documenting the out of state payroll to avoid being charged twice. Employers erroneously believe the simple fact of having another policy is all they need to ensure the out of state work is not picked up by the NYSIF at audit. This is far from the truth.

You may be thinking to yourself: how can the State Fund charge for out of state payroll, especially when there is another policy specifically in place to cover it? It all comes down to the jurisdiction for any potential employee injury claims. There are several factors that can determine where an employee can file for workers comp benefits. Three of those factors are where the employee worked, where they were paid, and where they lived. Depending on the circumstances, even though an employee sustains an injury on an out of state jobsite, they may still be able to file their claim in New York with the State Fund. As such, the State Fund will attempt to collect premium on the out of state payroll in order to cover these potential claims.

What can be done to avoid this?

Depending on your particular situation, steps can be taken to mitigate, and possibly nullify, the New York State Fund’s ability to charge for out of state payrolls.

0. Purchase a Workers Comp policy to cover the out of state work. Step 0? While this step, addressed above, allows another insurer to fund the risk of potential claims, it does not in and of itself reduce the State Fund’s ability to charge for the out of state payroll. It only sets the groundwork, without which there would be little to no possibility to reduce your out of state payroll burden with the State Fund.
1. Clearly document what payroll was earned in-state and what was paid on out of state jobs. Being able to show what payroll was earned where will aid the auditor in determining what should be included in audit. As with point 1, this will likely not be sufficient on its own.
2. File and pay taxes on the payroll earned out of state with that state. The first thing any NYSIF auditor will do is review your quarterly NYS-45 payroll tax forms. Any payroll on the NYS-45 forms could be deemed to have been earned in New York and as such could get picked up at audit. Filing payroll taxes in another state for the payroll earned in that state can be burdensome for both the employer, via added administrative costs, and employees, as they will now have to file a second state income tax return. Employers should investigate the pros and cons to determine if the cost benefit is worth the added complexity.
3. Use out of state employees. If an employee both lives and works outside of New York State, there is little possibility the State Fund will pick them up at audit. This is especially true if this step is used in conjunction with step 2. For simplicity, (smaller) employers may incorrectly include their employees living and working out of state as part of their New York payroll.

While the steps outlined can seem daunting and possibly overwhelming, they do work. By applying these steps we recently helped a client save nearly $140,000 on a workers compensation audit with the State Fund.

Contact a Risk Advisor today by CLICKING HERE to see how Metropolitan Risk can assist you in navigating the quagmire of your NYSIF Workers Comp audit with out of state payrolls.

Important Update: Department of Finance New York Warns Not To List Additional Insureds When There’s Automatic Coverage

As of December 14th, 2015, the New York State Department of Financial Services has informed us that insurance producers (Agents & Brokers) may not list individual additional insureds on a certificate of insurance when the policy provides automatic or blanket additional insured coverage. The department of finance New York also stated that anybody requiring a certificate of that nature would be violating the law.

The Independent Insurance Agents & Brokers of New York (the IIABNY) has asked the DFS to clarify their meaning of the certificates of insurance law that took effect last summer. Several IIABNY members have asked if the new law allows them to list additional insureds when the policy does not mention those entities specifically by name. Lots of certificate holders ask to have additional insureds listed on certificates.

This is Section 502 of the new law, which the IIABNY has found to be open to interpretation:

“(b) No person or governmental entity shall wilfully require the inclusion of terms, conditions or language of any kind, including warranties or guarantees, that the insurance policy provides coverage or otherwise sets forth terms and conditions in a certificate of insurance, if the insurance policy referenced by such certificate of insurance does not expressly include such terms, conditions, or language…. [Emphasis added]

(c) A certificate of insurance shall not amend, extend, or alter the coverage provided by the insurance policy to which the certificate of insurance makes reference. A certificate of insurance shall further not confer to any person any rights beyond those expressly provided by the policy of insurance referenced therein.”

According to the IIABNY, the word “expressly” in provision (b) may be the one open to the most interpretation. From an email sent to the IIABNY on December 10th by a DFS attorney:

“An insurance agent may not issue a certificate of insurance that lists the names of specific additional insureds when the policy referenced provides automatic coverage for additional insureds through a blanket or automatic additional insured endorsement.  In addition, an entity may not require the insurance agent to list the names of specific additional insureds on the certificate of insurance in such a situation.”

Metropolitan Risk Advisory and the IIABNY suggest one of two responses when a member receives requests like this:

  • Inform anyone making the request that New York law forbids issuing the certificate as requested. Provide a copy of the relevant policy provision or endorsement.
  • Ask the insurer to endorse the policy by adding additional insureds individually by name.

Seems like this will be rife with future problems, as the folks who issue permits like a square peg in a square hole. They don’t want to be forced to think. If it’s not exactly as they want it they will reject the permit, which will force the Agents/Brokers to request specific endorsements, which will continue to drive up costs unnecessarily for everyone. Seems like the only thing Albany can get right is graft. They score very well as it relates to indictments and convictions.

For more information on this matter, contact a Risk Advisor today via the link provided or by calling (914)-357-8444.